The sensitive information of 24 women diagnosed with HIV has been made available to individuals unauthorized to access that information. Despite the breach being discovered more than 7 months ago, the affected women have still not been notified.

The women were participating in an EmPower Women study at the University of California San Diego (UCSD). All 24 women had been diagnosed with HIV yet had not sought treatment. The HIV research study aimed to explore the reasons why those women had not sought treatment, specifically how substance abuse, domestic violence, trauma, and mental illness affected the decision to seek treatment and commit to treatment programs. To help recruit patients for the study, UCSD partnered with the non-profit organization Christie’s Place, which provides support to women diagnosed with HIV and AIDS.

The plan was to recruit 100 patients for the study, offer half of the participants free support and counselling services, and give the other half the option of receiving standard services at Christie’s Place. The researchers would then monitor the outcomes of the two groups.

The women’s names, audio recordings of interviews with study participants, and other sensitive information were stored in a database used to track clinical care. Access controls should have been implemented to ensure only individuals authorized to view the women’s confidential information could access the data. However, the database could be accessed by everyone at Christie’s Place.

An inewsource investigation revealed not only that the private and confidential information of study participants had been exposed, but also that, despite UCSD being made aware of the privacy violation in October 2018, notification letters had not been issued.

A mental health professional made the lead researcher of the study, Jamila Stockman, associate professor at UCSD and Vice Chief of Global Public Health, aware that the database was available to all employees, interns, and volunteers at Christie’s Place.

She brought the privacy breach to the attention of officials at UCSD and continued to push for notifications to be issued in meetings, emails, and study reports. As a result of the failure to take action over the breach, Stockman suspended the study in October 2018.

The failure to take prompt action and issue notifications would constitute willful neglect of HIPAA Rules and would be punishable with a fine in the highest penalty tier. However, the research was entirely funded by the UC system and, as such, is not subject to HIPAA Rules and is beyond the remit of the HHS’ Office for Civil Rights.

Christie’s Place was accused of deliberately adding patient information to the database with full knowledge that it could be accessed by everyone in an effort to inflate the number of patients participating in the study and bill the County of San Diego for more services. That allegation has been denied.

Christie’s Place issued a statement to inewsource confirming its internal investigation concluded there had been no wrongdoing and that “Christie’s Place did not misuse client data, did not breach client data to inflate patient numbers, did not misrepresent the services we provided, and did not improperly bill the County of San Diego.”

After being notified about the breach, UCSD instructed Empower Women to draft a breach notification letter, but the sending of that letter was repeatedly delayed. In March 2019, the decision was finally taken to inform the study participants about the breach, but there was a further delay because UCSD wanted to ensure that all study data was securely deleted from Christie’s Place systems before those notifications were issued. UCSD now plans to send notification letters in the next 2-3 weeks.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities in achieving and maintaining compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.